Netgate Discussion Forum

    Redirected all DNS to pihole using pfSense. Pihole still showing some hosts as not using the DNS ?

    54 Posts 10 Posters 2.7k Views
abesh @disi1

@disi1 Nope, nothing in Floating :( Should I have any? I am a total noob and have not figured out everything :) I am guessing the Floating rules apply to both interfaces?

abesh @disi1

        @disi1 Updated the rules screenshot. Had made some changes :)

viragomann @abesh

          @abesh said in Redirected all DNS to pihole using pfSense. Pihole still showing some hosts as not using the DNS ?:

However Pihole still shows some devices on my network bypassing it. I do not know how that might be possible?

I'm wondering what this screenshot tells us. How does Pi-hole detect what's bypassing it?

For example, my eTeckcity smart plug (192.168.86.62) has only the following connections showing up on pfTop?

ditto
This doesn't show a DNS connection. So why do you think it bypasses the NAT on port 53?

Also consider that the NAT will only work when you do masquerading on these connections. Otherwise you will run into asymmetric routing and the DNS requests will fail.

abesh @viragomann

            @viragomann said in Redirected all DNS to pihole using pfSense. Pihole still showing some hosts as not using the DNS ?:

Also consider that the NAT will only work when you do masquerading on these connections. Otherwise you will run into asymmetric routing and the DNS requests will fail.

I don't know what masquerading is; I am pretty new to pfSense. How would I mitigate this situation?
I have these outbound NAT rules running in hybrid mode:
[screenshot: outbound NAT rules]

viragomann @abesh

              @abesh
              Yes, that's it.

abesh @viragomann

@viragomann I can see that almost all DNS is going through the Pi-hole, so I don't know why it is showing those as not going through the DNS?

Raffi_ @abesh

@abesh Pi-hole will highlight devices not using it in red. I don't see any red entries on that first screenshot. Brown simply means that the device has not had a query for over 24 hours. Did you see the legend at the bottom of that page which explains this? It could mean that a device has been turned off or is not going out to the web, or it could mean that the device only contacts a specific server and it queried it at one point and then stored it in its local DNS cache. The devices could also be using DoH or DoT, which your port 53 rules on the NAT will not catch.

You can keep the pfSense DNS settings at their default. You don't have to put it in forwarding mode. I would put that back the way it was. It is best to let pfSense do the queries to the root servers directly. Leave DNS servers as 127.0.0.1 and ::1. Then you have to set Pi-hole to use pfSense as the DNS server. Then in the DHCP settings of pfSense, make sure you enter the Pi-hole address as the DNS server so that any client that gets an IP will be using Pi-hole, unless they have their own settings, which must be changed manually.

abesh @Raffi_

                    @Raffi_ Thanks a lot for the explanation of the Brown entries. That makes a lot of sense.
                    Actually I run unbound locally on pihole and use that. That's why the DNS resolver is in FW only mode.

Raffi_ @abesh

                      @abesh Oh I see. I never tried running unbound on Pi-hole. So you're doing the reverse of what I suggested? Which device is acting as your DHCP server? pfsense or Pi-hole? Is the DHCP server pushing the Pi-hole or pfsense IP for DNS?

abesh @Raffi_

@Raffi_ So pfSense is the DHCP server and it hands out the Pi-hole's address as the DNS server. The pfSense DNS resolver is configured to forward queries to Pi-hole only. I need the pfSense DNS to resolve local names. Since Pi-hole is not the DHCP server, only IPs show up in Pi-hole logs instead of hostnames if I don't do it this way. Pi-hole queries its own unbound server at 127.0.0.1#5335 and responds back to the DNS queries.

Raffi_ @abesh

@abesh Interesting, sounds a little more roundabout. To be honest, I can't even see where to enable unbound on Pi-hole natively. Is that officially supported by the Pi-hole project? I'm curious because I must be missing that?

AndyRH @Raffi_

                            @Raffi_ The method is not much different than what I did.
                            https://forum.netgate.com/topic/156453/pfsense-dns-redirect-to-local-dns-server?_=1663853296484

                            There are plenty of docs on how to install unbound on PiHole. I did it and it works well.

abesh @Raffi_

@Raffi_ Yup, officially supported by Pi-hole. Here's the documentation: https://docs.pi-hole.net/guides/dns/unbound/

abesh @AndyRH

@AndyRH Hey Andy! Yes, thanks to you I could get this up and running :)

viragomann @abesh

                                  @abesh said in Redirected all DNS to pihole using pfSense. Pihole still showing some hosts as not using the DNS ?:

                                  The pfSense DNS resolver is configured to forward queries to pihole only. I need the pfSense DNS to resolve local names.

                                  The DNS Resolver on pfSense will never get a request, since you forward any to the pihole.

abesh @viragomann

@viragomann Agree. Maybe I should turn off the resolver and see what happens?

viragomann @abesh

                                      @abesh
You should rather redirect any traffic to pfSense, so it's treated by the DNS Resolver and host overrides will take place, while other requests are forwarded to the Pi-hole from the Resolver.

keyser Rebel Alliance @abesh

@abesh Seems your setup is done correctly. Have you considered that the IP of those sessions might be hardcoded into the missing device?
Otherwise it is likely some unknown DNS over HTTPS server you are not blocking, or a vendor-specific name resolution method, in play.

                                        Love the no fuss of using the official appliances :-)

abesh @keyser

                                          @keyser That was my thought process as well. Seems like killing DoH is like playing whack-a-mole !!!

viragomann @abesh

                                            @abesh
                                            Hardcoded DNS IP will be redirected anyway.
DoH can be an issue. You should consider blocking DoH using pfBlockerNG.

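An added example, not from this thread or from Pi-hole or pfSense, of the check the last few posts describe: a hardcoded port-53 resolver is caught by the NAT redirect, but DoT (port 853) and DoH (plain HTTPS to a resolver) are not. It reads constructed state lines in the shape of pfTop output and reports, per LAN client, which DNS behaviour was seen; the Pi-hole address and the DoH endpoint list are assumed placeholders.

```python
import re
from collections import defaultdict

PIHOLE = "192.168.86.5"           # assumed Pi-hole address; not stated in the thread
DNS_PORT, DOT_PORT, HTTPS_PORT = 53, 853, 443
# Assumed set of resolver addresses known to serve DNS over HTTPS (documentation-range
# placeholders); populate it from your own curated list, e.g. a pfBlockerNG feed.
DOH_ENDPOINTS = {"203.0.113.10", "198.51.100.77"}

# Constructed sample in the shape of pfTop state lines: PROTO DIR SRC:PORT DST:PORT
SAMPLE_STATES = """\
udp Out 192.168.86.62:49152 192.168.86.5:53
udp Out 192.168.86.20:51000 192.0.2.53:53
tcp Out 192.168.86.30:40001 203.0.113.10:443
tcp Out 192.168.86.40:40002 192.0.2.9:853
tcp Out 192.168.86.62:40003 192.0.2.50:443
"""

STATE_LINE = re.compile(r"^(udp|tcp)\s+\S+\s+(\S+):(\d+)\s+(\S+):(\d+)$")

def classify(proto, dst, dport):
    """Label one state: direct to Pi-hole, hardcoded resolver, DoT, or suspected DoH."""
    if dport == DNS_PORT:
        # A hardcoded resolver; the port-53 NAT redirect is expected to catch this one.
        return "dns_pihole" if dst == PIHOLE else "dns_other"
    if dport == DOT_PORT:
        return "dot"                  # DNS over TLS: untouched by a port-53 redirect
    if proto == "tcp" and dport == HTTPS_PORT and dst in DOH_ENDPOINTS:
        return "doh_suspect"          # looks like ordinary HTTPS; only the list flags it
    return None                       # unrelated traffic

def dns_report(states):
    """Map each LAN client to the set of DNS behaviours seen in its states."""
    report = defaultdict(set)
    for line in states.splitlines():
        m = STATE_LINE.match(line.strip())
        if not m:
            continue
        proto, src, _sport, dst, dport = m.groups()
        label = classify(proto, dst, int(dport))
        if label:
            report[src].add(label)
    return dict(report)

def bypass_candidates(report):
    """Clients with encrypted-DNS states, i.e. what the port-53 redirect cannot cover."""
    return sorted(c for c, labels in report.items() if labels & {"dot", "doh_suspect"})

if __name__ == "__main__":
    rep = dns_report(SAMPLE_STATES)
    for client, labels in sorted(rep.items()):
        print(client, sorted(labels))
    print("possible bypass:", bypass_candidates(rep))
```

Feed it real pfTop output (the first four columns) to see which clients the redirect already covers and which need the DoH/DoT blocking discussed above.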
                                            Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.